Home » Data Protection » Malware/Cybercrime

News

Judge Orders Palin to Preserve Yahoo E-mails

Messages that concern state business from hacked account must be saved, Alaska judge rules

By Gregg Keizer, Computerworld

October 14, 2008 — CSO —

A judge in Alaska has ordered Republican vice presidential candidate Sarah Palin and others in her administration to preserve e-mail messages in their personal accounts that relate to state business, an Anchorage newspaper reported over the weekend.

The ruling covers the Palin Yahoo Mail account that was hacked last month.

According to court records, Anchorage Superior Court Judge Craig Stowers handed down the order Friday as part of a lawsuit filed by former state worker and activist Andree McLeod earlier this month. McLeod has sued both Palin and the governor's office to force the preservation of personal e-mail messages.

Palin's e-mail has been in the news since someone illegally accessed her Yahoo Mail account four weeks ago and published some messages on the Internet. Last week David Kernell, a Tennessee college student and the son of a longtime Democratic state representative, was indicted by a federal grand jury for resetting the password of the gov.palin@yahoo.com account and then accessing its messages. Kernell, 20, pleaded not guilty to the single charge last Wednesday.

Palin's office must preserve all e-mails to or from personal accounts belonging to her and her staff, starting from Dec. 4, 2006, "whose content relates in any way to the conduct of official business of the state of Alaska," reported the Anchorage Daily News last Friday.

The problem of mixing personal accounts with those sanctioned at the workplace is widespread, said Adam O'Donnell, director of emerging technologies at message security vendor Cloudmark Inc. "I think that this is extremely common, and also not something that chief information officers want to think about," said O'Donnell in an interview conducted via instant messaging. "Most will scold their employees to not send corporate e-mail from personal accounts, but there isn't much they can do about it."

O'Donnell cited several dangers of mixing personal and official e-mail accounts that in some cases can include regulatory violations. "If an organization is heavily regulated, like a financial service firm, using private e-mails for company business is a violation of regulations like Sarbanes-Oxley," he said.

"[And] personal accounts may not be as protected as corporate e-mail accounts," O'Donnell continued. "An [attacker] who wants to gather critical corporate information may target a CEO's personal account before they target their corporate account."

Earlier this year, McLeod discovered that Palin routinely used a personal e-mail account for public business after she had asked for copies of messages from Palin aides. Palin's use of a personal account, specifically a Yahoo Mail account, made the news and was cited in the message left by the hacker, identified only as "Rubico," on a popular message board early on Sept. 17.